Date:      Fri, 25 Oct 2013 18:13:32 +0200
From:      Olivier Cochard-Labbé <olivier@cochard.me>
To:        VANHULLEBUS Yvan <vanhu@freebsd.org>
Cc:        "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>
Subject:   Re: Can't configure a simple IPSec (manual SA/SP)
Message-ID:  <CA%2Bq%2BTcrX%2Bs8FqE=dSwBUDkFnq_rMMBmb1cvRDS7uMgj8qfxHUw@mail.gmail.com>
In-Reply-To: <20131025133517.GA5588@zeninc.net>
References:  <CA%2Bq%2BTcqJwNXPOEWeh_FcnLu5KE7cyU7e1h2Q4dc==8D441nRWA@mail.gmail.com> <20131025133517.GA5588@zeninc.net>

On Fri, Oct 25, 2013 at 3:35 PM, VANHULLEBUS Yvan <vanhu@freebsd.org> wrote:

> Do you use some bridging configuration ? Do you have some kind of
> filtering/NAT rules ? Some complex routing tables ?

No bridging, no firewall, no complex routing: the IPSec gate has
only one default gateway.

>
>
> Can you send the output (on your IPsec gate) of:
> sysctl -a net.inet.ip.fastforwarding

[root@R2]~# sysctl -a net.inet.ip.fastforwarding
net.inet.ip.fastforwarding: 1

I didn't understand why you asked me about the status of fastforwarding:
then I disabled it and retried my IPsec configuration… Problem
solved!
I've found the notice regarding fastforwarding not being compatible
with IPSec in the inet(4) man page: I was not aware of this
compatibility issue.
I've proposed a small improvement to the rc.d/ipsec script for
checking the fastforwarding state: PR/183303.

Thanks a lot, Yvan!!
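
An added example, not part of the original message and not the patch from PR/183303: a POSIX shell pre-flight check for the fastforwarding/IPsec conflict described above. The function names and return codes are assumptions made for illustration; the sample sysctl line in the comments is the one quoted in the message.

```shell
#!/bin/sh
# Illustrative pre-flight check (hypothetical helper names, not from PR/183303).

# ff_value LINE
# Extract the number from a line such as "net.inet.ip.fastforwarding: 1".
# Prints nothing when the line does not have that exact shape.
ff_value() {
    printf '%s\n' "$1" |
        sed -n 's/^net\.inet\.ip\.fastforwarding: *\([0-9][0-9]*\)$/\1/p'
}

# ipsec_ff_check SYSCTL_LINE IPSEC_ENABLE
# IPSEC_ENABLE is the rc.conf-style YES/NO setting for IPsec.
# Return codes (assumed convention for this example):
#   0  no conflict (IPsec off, or fastforwarding is 0)
#   1  conflict: IPsec requested while fastforwarding is enabled
#   2  the sysctl line could not be parsed
ipsec_ff_check() {
    line=$1
    enable=$2
    case "$enable" in
        [Yy][Ee][Ss]) ;;          # IPsec requested: keep checking
        *) return 0 ;;            # IPsec not requested: nothing to check
    esac
    val=$(ff_value "$line")
    [ -n "$val" ] || return 2
    [ "$val" -eq 0 ] && return 0
    echo "warning: net.inet.ip.fastforwarding=$val is not compatible with IPsec (see inet(4))" >&2
    echo "         disable it with: sysctl net.inet.ip.fastforwarding=0" >&2
    return 1
}

# Live use: runs only when the sysctl exists on this host; otherwise skipped.
if command -v sysctl >/dev/null 2>&1 &&
   live=$(sysctl net.inet.ip.fastforwarding 2>/dev/null); then
    ipsec_ff_check "$live" "${ipsec_enable:-YES}" || true
fi
```
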


